Adding authorized networks for cluster master access

This page explains how to grant authorized network access to cluster masters in
Google Kubernetes Engine clusters. For general information about
GKE networking, visit the
Network Overview.

Overview

Authorized networks allow you to whitelist specific CIDR ranges and allow
IP addresses in those ranges to access your cluster master endpoint using
HTTPS. Authorized networks are compatible with all clusters.

GKE uses both Transport Layer Security (TLS) and
authentication to provide secure access to your cluster master
endpoint from the public Internet. This gives you the flexibility to
administer your cluster from anywhere. By using authorized networks, you can
further restrict that access to the IP address ranges you specify.
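As an added illustration (not part of the GKE documentation or tooling), the following script audits the `masterAuthorizedNetworksConfig` block of a cluster description and answers the question the feature enforces: would a given client IP be allowed to reach the master endpoint? The sample cluster JSON is constructed; it mimics the shape of `gcloud container clusters describe --format=json`, and the 256-address threshold for "too broad" is an assumption you would tune to your environment.

```python
import ipaddress
import json

# Constructed sample: cluster descriptions in the shape returned by
# `gcloud container clusters describe --format=json` (only the fields used here).
SAMPLE_CLUSTERS = json.loads("""[
 {"name": "prod-a",
  "masterAuthorizedNetworksConfig": {"enabled": true,
    "cidrBlocks": [{"displayName": "office", "cidrBlock": "203.0.113.0/24"},
                   {"displayName": "vpn-egress", "cidrBlock": "198.51.100.7/32"}]}},
 {"name": "prod-b",
  "masterAuthorizedNetworksConfig": {"enabled": true,
    "cidrBlocks": [{"displayName": "anyone", "cidrBlock": "0.0.0.0/0"}]}},
 {"name": "dev-c", "masterAuthorizedNetworksConfig": {"enabled": false}}
]""")


def authorized_networks(cluster):
    """Parsed CIDR list, or None when authorized networks are not enabled."""
    cfg = cluster.get("masterAuthorizedNetworksConfig", {})
    if not cfg.get("enabled"):
        return None
    return [ipaddress.ip_network(b["cidrBlock"], strict=False)
            for b in cfg.get("cidrBlocks", [])]


def audit(cluster, max_addresses=256):
    """Return a list of findings for one cluster; an empty list means it passes."""
    nets = authorized_networks(cluster)
    if nets is None:
        return ["authorized networks disabled: no CIDR restriction on the master endpoint"]
    findings = []
    if not nets:
        findings.append("authorized networks enabled but no CIDR blocks listed")
    for net in nets:
        # A very wide range (worst case 0.0.0.0/0) defeats the purpose of the feature.
        if net.num_addresses > max_addresses:
            findings.append(f"{net} is broader than {max_addresses} addresses")
    return findings


def client_allowed(cluster, client_ip):
    """Would a request from client_ip pass the authorized-networks check?"""
    nets = authorized_networks(cluster)
    if nets is None:
        return True  # no restriction configured
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    for c in SAMPLE_CLUSTERS:
        print(c["name"], audit(c) or "ok")
```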

Benefits

Adding authorized networks can provide additional security benefits for your
cluster. Authorized networks grant access to a specific set of addresses that
you designate, such as those that originate from your environment. This can help
protect access to your cluster in the case of a vulnerability in the
cluster's authentication or authorization mechanisms.

Benefits with private clusters

Private clusters run nodes without external IP addresses, and optionally run
their cluster master without a publicly reachable endpoint. Additionally,
private clusters do not allow GCP IP addresses to access the
cluster master endpoint by default. Using private clusters with authorized
networks makes your cluster master reachable only by the whitelisted CIDRs, by
nodes within your cluster's VPC, and by Google's internal production jobs that
manage your master.